So you have more Yubikeys than sense? Great, me too! Let’s make a multi-tier certificate authority!
By the end of this article, we’ll have a fully-functioning two-tier CA where the private keys for the CAs are stored on Yubikeys. In addition, we’ll make sure that we generate the private keys directly on the Yubikeys for zero chance of key compromise. All keys will be elliptic-curve (ECC), and–barring mistakes on my part–the CA should fully adhere to RFC 5759, NSA’s Suite B Certificate and Certificate Revocation List (CRL) Profile.